Google’s Project Zero to wait longer before disclosing bug details

The 30-day grace period is designed to speed up the rollout and adoption of patches

Google’s Project Zero team has announced that it will give vendors and companies an extra 30-day period before it discloses the technical details of a vulnerability.


“Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” said Tim Willis, the senior security engineering manager of Google’s elite bug-hunting crew.


Previously, under the 2020 disclosure policy, vendors had a 90-day window between the initial report of a vulnerability and the public disclosure of its details, and that disclosure took place regardless of whether the bug had been fixed.


Under the new vulnerability disclosure policy, developers still have 90 days to fix the vulnerability, but Project Zero will now wait a further 30 days before publishing details of the flaw, provided the bug is fixed within that 90-day period. The additional delay is also intended to give users enough time to patch their systems.


Longer to patch


The new disclosure policy also affects vulnerabilities that are actively exploited in the wild. Previously, these flaws were automatically disclosed seven days after they were reported; vendors can now request a three-day grace period. If the bug is fixed within seven days, Project Zero will wait 30 days before it reveals technical details about the security flaw.


The main idea behind the 2020 policy was that vendors who wanted to give users more time to patch their systems would focus ..
